Email alert on asa for successful login to asa

Answered Question
Jun 6th, 2010

Hi guys,


Just wanted to know how to configure the ASA with email alerts for successful login to the ASA using Telnet or ASDM.


Thanks,

Jvalin

Correct Answer
Marcin Latosiewicz Sun, 06/06/2010 - 04:11
User Badges:
  • Cisco Employee,

Jvalin,


I assume you have everything but logging component configured.


How about creating a logging list of interesting syslogs and sending them?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772936

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1773126


Messages indexed:

https://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

maybe:

710002


Marcin

jvalin__s Sun, 06/06/2010 - 04:38

Marcin,


Thanks for the links, I checked all those but still the mails are not working.


what I did in ASDM is


1) set up the SMTP server - "internal IP address of the mail server"

2) configured "send from email address"

3) configured "send to email address"

4) configured "event-list" --> event-class as auth and severity - alert
   "event-list" --> event-class as config and severity - alert

5) configured "logging filters" and in the email section I gave the event-list as the severity


Anything else I am forgetting?


Regards,

Jvalin

Marcin Latosiewicz Sun, 06/06/2010 - 04:56
User Badges:
  • Cisco Employee,

Jvalin,


Can you rather show the CLI config? No access to ASDM on my side.


-------

show run logg

show run smtp-s (or maybe show run smtp?)

--------


Marcin

Kureli Sankar Sun, 06/06/2010 - 05:21
User Badges:
  • Cisco Employee,

I remember an earlier thread that I answered a while ago. It ended up being the e-mail server not accepting e-mails from the firewall's IP address.

Pls. make sure the e-mail server is configured to accept e-mail from the firewall's IP address.


A Wireshark capture on the e-mail server will be useful as well.


Just move one of the normal messages like 111008 to level 1 for testing purposes only and issue a "write mem"; that should trigger an e-mail to be sent.

logging message 111008 level 1


Once the test is done you can remove the above line.


-KS

jvalin__s Sun, 06/06/2010 - 05:41

logging enable
logging timestamp
logging list email-for-login level emergencies class auth
logging list email-for-login level emergencies class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging recipient-address <recipient email address> level emergencies
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts



Is this OK, guys?

jvalin__s Sun, 06/06/2010 - 05:50

asa5510# sh run smtp-server


smtp-server 192.168.102.50


asa5510#
Correct Answer
Marcin Latosiewicz Sun, 06/06/2010 - 06:39
User Badges:
  • Cisco Employee,

I don't see logging list assigned to logging mail.


logging mail list NAME_OF_LIST

jvalin__s Sun, 06/06/2010 - 06:44

logging enable
logging timestamp
logging list email-for-login level alerts class auth
logging list email-for-login level alerts class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging mail email-for-login    <<< I gave it afterwards
logging from-address abc@xxx.com
logging recipient-address abc@xxx.com level alerts
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts


It's working now, guys. Thanks to both of you.

jvalin__s Sun, 06/06/2010 - 06:51

Guys,


By configuring these commands, I am getting alerts only when anybody configures using ASDM, but not by command line.


Any ideas greatly appreciated.


Regards,

Jvalin

Marcin Latosiewicz Sun, 06/06/2010 - 07:31
User Badges:
  • Cisco Employee,

710002 would be the message you're looking for when someone logs in. I'd have to dig in a bit more to see what ASDM puts in syslogs. Or you can check it by monitoring logging to other facilities.

Kureli Sankar Sun, 06/06/2010 - 10:58
User Badges:
  • Cisco Employee,

Are you looking for these messages?



When you ssh to the unit you see the following:
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.


When you telnet to the unit you see the following.

Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:04:20: %ASA-5-111008: User 'enable_1' executed the 'enable' command.


Both SSH and Telnet log the same syslog messages. Whichever message you are interested in, just add them to the mail list.


-KS
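As an added example (not from this thread, and not Cisco's own code), the following Python models how the `email-for-login` list from Jvalin's working config decides which of the syslog lines KS quoted would reach the mail destination: a `class` entry admits a message of that class at the configured severity or more severe, an explicit `message ID` entry admits that ID unconditionally, `logging message ID level X` re-rates a message before any filter sees it, and nothing is mailed at all unless the list is bound with `logging mail LIST` (the gap Marcin spotted). The message-ID-prefix to class table is an assumed partial transcription covering only the IDs in the sample, and the filter semantics are modelled from the thread and the ASA command reference, not taken from ASA itself. The sample log is the SSH login sequence from KS's post, embedded inline so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the SSH login sequence quoted in the thread,
# embedded inline so the example runs with no ASA or mail server.
SAMPLE_LOG = """\
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
"""

# ASA severity keywords -> numeric level (0 is the most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Assumption: partial message-ID-prefix -> logging-class table, transcribed
# from the ASA "logging class" documentation for just the IDs in the sample.
CLASS_OF_PREFIX = {"109": "auth", "113": "auth", "111": "config", "112": "config",
                   "502": "session", "605": "sys", "611": "vpnc"}

LINE_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")


@dataclass
class Syslog:
    severity: int
    msgid: str
    text: str

    @property
    def logging_class(self) -> str:
        return CLASS_OF_PREFIX.get(self.msgid[:3], "unknown")


def parse_line(line: str):
    """Return a Syslog for an ASA-formatted line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Syslog(int(m.group("sev")), m.group("msgid"), m.group("text"))


@dataclass
class LoggingList:
    """Model of `logging list NAME ...` as used in the thread."""
    class_levels: dict = field(default_factory=dict)  # class -> numeric threshold
    message_ids: set = field(default_factory=set)     # explicit `message ID` entries

    def add_class(self, cls: str, level: str):
        # logging list NAME level LEVEL class CLASS
        self.class_levels[cls] = SEVERITY[level]

    def add_message(self, msgid: str):
        # logging list NAME message ID
        self.message_ids.add(msgid)

    def includes(self, msg: Syslog, overrides: dict) -> bool:
        # `logging message ID level X` re-rates the message before filtering.
        sev = overrides.get(msg.msgid, msg.severity)
        if msg.msgid in self.message_ids:
            return True
        threshold = self.class_levels.get(msg.logging_class)
        return threshold is not None and sev <= threshold


def messages_mailed(log_text: str, mail_list, overrides: dict) -> list:
    """Message IDs that reach the mail destination. `mail_list` is None when
    `logging mail LIST` was never configured, the gap found in the thread."""
    if mail_list is None:
        return []
    out = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg and mail_list.includes(msg, overrides):
            out.append(msg.msgid)
    return out


def thread_config() -> LoggingList:
    """The working `email-for-login` list from the thread."""
    lst = LoggingList()
    lst.add_class("auth", "alerts")      # logging list email-for-login level alerts class auth
    lst.add_class("config", "alerts")    # logging list email-for-login level alerts class config
    lst.add_message("111008")            # logging list email-for-login message 111008
    return lst


OVERRIDES = {"111008": SEVERITY["alerts"]}  # logging message 111008 level alerts

if __name__ == "__main__":
    print(messages_mailed(SAMPLE_LOG, None, OVERRIDES))            # []: no `logging mail` binding
    print(messages_mailed(SAMPLE_LOG, thread_config(), OVERRIDES))  # ['111008']: only the enable command
    login_list = thread_config()
    login_list.add_message("605005")   # KS's advice: add the login messages themselves
    login_list.add_message("113012")
    print(messages_mailed(SAMPLE_LOG, login_list, OVERRIDES))       # ['605005', '113012', '111008']
```

The middle run shows why the thread's list only fired on the `enable` command: 113012 and 605005 are informational (level 6), so a `level alerts` class entry never admits them, and only the explicitly listed 111008 gets through. Adding the login message IDs to the list, as KS suggests, is what turns this into a login alert.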
